How commercial suppliers can renew or get a GCN connectivity service compliance certificate so the service can be used by the PSN.
Apply for GCN connectivity service compliance certificate
If you’re a supplier and want to provide a GCN connectivity service you need to get it compliant and confirm to us that it meets certain obligations. Your connectivity service compliance certificate is awarded by the PSN compliance team.
There are 4 steps to renewing GCN connectivity compliance or getting it for the first time.
- Read and understand the PSN obligations for connectivity services
- Provide evidence that your service meets the necessary level of assurance
- Update your contact details
- Submit your application
If you’re applying for a GCN connectivity service compliance certificate for the first time you need to meet the requirements in the PSN DoU. Email us at email@example.com for further details.
A GCN connectivity service’s compliance certificate may be withdrawn at any time if it’s found that the service no longer meets the agreed standard.
Step 1: Read and understand the PSN obligations for connectivity services
When you submit your application you’ll need to confirm your organisation and your service meets a series of obligations. You will need to read and understand these obligations before you submit your application. The obligations are divided into:
Governance and service management
The Public Services Network (PSN) obligations for connectivity services collection contains documents that place governance and service management obligations on all PSN connectivity services, including GCN services. The Public Services Network (PSN) obligations for Government Conveyancing Network (GCN) services collection documents place further obligations on all GCN services.
The Public Services Network (PSN) technical interoperability documents and obligations for network services provide us with assurance that your network service will work seamlessly at a technical level with other PSN networks. The technical interoperability requirements focuses on Multiprotocol Label Switching (MPLS) configuration, Asynchronous System (AS) deployment, Quality of Service (QoS) classes, IP addressing and Domain Name Services.
We’ve also published a guide that lists all of the current Public Services Network (PSN) obligations.
Step 2: Provide evidence that your service meets the necessary level of assurance
You’ll need to provide us with evidence that your service meets the necessary level of assurance.
You must provide a current CAS(T) certificate and surveillance report. The surveillance report must not be older than 12 months old and must not have been used for your previous application.
You should read CESG’s policy and guidance to ensure you get the right controls assessed and you understand the audit cycle.
Provide your ITHC report
You will need to send us the report from your most recent ITHC. This lets us see what vulnerabilities exist in your infrastructure and what action you have taken or plan to take to fix or mitigate them.
Read the IT Health Check supporting guidance to ensure you get the scope right with your chosen ITHC supplier.
The ITHC report you send us must not be older than 12 months old and must not have been used for your previous application. If the report identifies any ‘critical’ or ‘high’ issues, you should either provide evidence that these issues have been resolved or a remediation action plan to address them.
Remediation action plan
If your ITHC report shows ‘critical’ or ‘high’ issues that you have not yet addressed, your submission should include a Remediation Action Plan (RAP) to address these issues. This RAP should include, as a minimum:
- specific actions to be undertaken
- planned start and finish dates for this work
- details of the ‘owner’ of this work (that is, the individual responsible for ensuring it is actually carried out)
- a ‘lessons learnt’ statement explaining how you will avoid the same issue being repeated in future
You can use this Remediation Action Plan (RAP) example template as a guide when preparing your RAP.
Step 3: Update your contact details
You will need to send us the contact details for important roles in your organisation. Providing these details allows the PSN team to make sure the right people are informed about service and security issues that may occur both in the PSN community and more widely. It’s important to keep these details updated and ensure the PSN team are informed of any changes.
Use the operational contact details form to provide the details or update the details that you have already sent us.
Step 4: Submit your application
When you’ve completed the above steps set out in this guide, your next step is to submit your application to us. You can do this using the PSN team contact centre online portal. Your application will need to be completed by your representative on the GCN Steering Committee.
When submitting your application through the portal you’ll need to complete the online submission form, which will ask you to:
- enter an email address (or sign-in if you already have an account)
- enter a message (just let us know what your application is for and if you have any further information or comments you’d like to include)
- enter your existing PSN compliance reference (if you’re renewing an application you can find it in our list of PSN-compliant services) - if this is a new application just ignore this bit
- select the type of PSN connectivity service your application is for
- confirm your service complies with the PSN obligations for connectivity services and the obligations that apply to GCN services by putting a check in the ‘I confirm..’ box
- attach the relevant documents: evidence that your service meets the necessary level of assurance and your updated contact details form
- verify you’re a human by putting a check in the ‘I’m not a robot’ box
- click ‘submit’ to send your application
What happens to your connectivity submission
The PSN team will review and validate your application. You might be contacted if it’s incomplete, to confirm or clarify details in your application or to ask for additional information.
If the PSN team identifies any issues in your application you may need to address these and resubmit.
When the PSN team has concluded its compliance review, they will make a decision as to whether your service can receive connectivity service compliance.
If the PSN team confirms your connectivity service compliance, we’ll let you know and we’ll include your GCN connectivity service compliance certificate. At this point, you may start to provide your service. Your certificate is valid for 12 months.
Providing your service once you receive your GCN connectivity service compliance certificate
When your organisation has received your GCN connectivity service compliance certificate you can provide your service to PSN customers. Read the Supply services over PSN guidance to find out how you can do this.
Published: 16 March 2016
Updated: 29 March 2016
- Step 2 copy revised to include reference to surveillance report
- Updated to reflect revised compliance process for connectivity services. This guide replaces the former accreditation process.
- First published.
From: Cabinet Office